March 26, 2019 Asus has issued a statement confirming the Asus Live Update Tool attack.
In-house software belonging to tech giant Asus has been compromised by attackers, a report by Kaspersky Lab says – later confirmed by Asus. The Asus Live Update Utility was used to deliver a trojanised update carrying a backdoor to some 57,000 Windows computers running Kaspersky products – and likely hundreds of thousands more outside Kaspersky's visibility – with second-stage malware delivered only to a select, targeted few.
Asus confirmed the attack took place in a statement, claiming “a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”
The initial report by Kaspersky Lab says that a compromised server at Asus was used to push a digitally signed, apparently legitimate update, complete with backdoor, to users' PCs between June and November 2018. Once installed, the backdoor checked the machine's network adapter MAC addresses against a pre-determined list, hinting at the targeted nature of the attack, and, only if a match was found, connected to a third-party server to download further malware onto that machine.
If you’re worried you may be infected after the attack, you can utilise the Asus online security diagnostic tool to check (provided by Asus).
Asus customer service has also been reaching out to affected users to ensure the backdoor, and any malicious software it fetched, is removed. Asus has also released a fixed Live Update utility (ver. 3.6.8) that adds multiple security verification measures, and says it has strengthened its server architecture to make this kind of attack far more difficult in the future.
The attack was initially discovered after Kaspersky Lab added a new supply-chain detection technology to its scanning tool, designed to catch this style of malicious code hidden inside legitimate, signed packages; the findings were subsequently reported by Motherboard. The security company plans to release a full technical paper on the Asus attack at its Security Analyst Summit in Singapore.
Of course, Kaspersky Lab is also offering up a salacious name for the attack: Operation ShadowHammer – no doubt making acts of this nature even more alluring to those with the means and will to carry them out. I propose the next large hack be called Operation Stinker, or Operation ****hat. No one wants to be the mastermind behind Operation ****hat.
The malicious file was actually a three-year-old Asus update binary, the report states. Malicious code was injected into this file, which was then signed with a genuine Asus code-signing certificate so that Windows and the updater would treat it as legitimate. Because the attackers reused such an old file rather than a current build, Kaspersky does not believe they had access to the whole of Asus' development infrastructure, only to the part needed to sign binaries and to distribute them through the update servers.
Kaspersky Lab also attempted to contact Asus in January to report the attack. However, Asus denied the claims at the time. It reportedly continued to use one of the two compromised signing certificates for a few months afterwards, but has since ceased its use.
Motherboard subsequently contacted a second security company, Symantec, to confirm whether its customers had received the malicious code. Symantec confirmed that at least 13,000 of its customers' machines were affected. The full breadth of the attack is not yet confirmed, but it is estimated to reach into the hundreds of thousands.
“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” Vitaly Kamluk, director of Kaspersky Lab's Global Research and Analysis Team, told Motherboard.
If your machine was not one of the 600 or so MAC addresses targeted by the attack, the backdoor stayed dormant and relatively low-key – which is how it avoided detection for so long. Note, however, that the backdoor still sat on every affected system, not just the targeted ones, and remained available for exploitation.
“They were not trying to target as many users as possible,” Kamluk continues. “They wanted to get into very specific targets and they already knew in advance their network card MAC address, which is quite interesting.”
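To make the MAC-gated targeting concrete, here is an added example (not code from the original article, from Asus or from Kaspersky) showing how an implant can carry a target list without revealing the targets, and how a defender can run the same comparison locally. It assumes the targets are stored as MD5 hashes of the canonical MAC string; that storage format and the target list below are constructed for illustration and are not the real implant's values.

```python
import hashlib
import re
import uuid


def normalise_mac(mac: str) -> str:
    """Canonical form 'aa:bb:cc:dd:ee:ff'; accepts ':' or '-' separators or none."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash of the canonical MAC string. Storing hashes instead of MACs means
    an analyst who finds the list still cannot read the targets off it."""
    return hashlib.md5(normalise_mac(mac).encode("ascii")).hexdigest()


# Constructed target list (assumption: hashed MACs). In a real implant only the
# hex digests would be embedded; the plaintext MACs here exist only so the
# example is self-contained.
TARGET_MAC_HASHES = frozenset(
    mac_hash(m) for m in ("00:11:22:33:44:55", "AA-BB-CC-DD-EE-01")
)


def matching_macs(local_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the subset of local_macs whose hash is on the target list."""
    return [m for m in local_macs if mac_hash(m) in target_hashes]


def stage_two_should_run(local_macs, target_hashes=TARGET_MAC_HASHES) -> bool:
    """The gate: only a machine with a listed MAC gets the second stage.
    Every other host keeps the dormant backdoor but never phones home."""
    return bool(matching_macs(local_macs, target_hashes))


def local_mac_addresses():
    """Best-effort local MAC via the standard library. uuid.getnode() returns a
    random number with the multicast bit set when no hardware address is found,
    so a production checker should enumerate adapters properly instead."""
    node = uuid.getnode()
    return [":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))]


if __name__ == "__main__":
    macs = local_mac_addresses()
    print("local MACs:", macs)
    print("on target list:", stage_two_should_run(macs))
```

A defender's self-check is the same function run the other way round: feed it the hashes recovered from the implant and every MAC on your adapters, and any non-empty result from `matching_macs` means your machine was a chosen target rather than collateral. The hashing also explains why the count of targets is known (about 600 digests) while the targets themselves are not.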
The targeted nature of this attack is a fascinating one, and the security researchers believe the Asus attack may be connected to the earlier CCleaner supply-chain attack, potentially as a precursor. Asus' systems were listed among those hit by the trojanised CCleaner update, and Kaspersky Lab believes this could be how the attackers gained the access needed for the most recent attack.